Malware Command and Control (C&C) channels can take many shapes and forms: they can be centralized, point-to-point (P2P) based, fast-flux, etc. No matter what the channel type is, each malware instance must receive commands from a master which controls the malware continuously over time; otherwise the instance of malware could not fulfill its purpose. If the malware communicates with its controller via a centralized channel, it creates so-called persistent connections between a compromised computer and a C&C server.
Referring to a network connection as a “persistent connection” indicates only that the connection occurs repeatedly in time; it does not suggest that the connection is periodic or ongoing, or that every occurrence of the connection has the same properties.
The necessity to receive new commands from the controller and/or to upload stolen data suggests that every connection that is part of a C&C channel is also persistent. However, the converse does not hold: not every persistent connection is malicious. In fact, most persistent connections are legitimate.
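One way to turn the definition above into a measurable quantity, as an added example that is not part of the original text: split the observation period into time bins and score each source/destination pair by the fraction of bins in which it appears, so that repetition over time counts while periodicity and per-connection properties do not. The binning approach, the 0.6 threshold and all host names and flow records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records: (unix_timestamp, source_host, destination).
# Not taken from any real capture.
HOUR = 3600
SAMPLE_FLOWS = (
    # host-a contacts updates.example once per hour at irregular offsets
    [(h * HOUR + off, "host-a", "updates.example")
     for h, off in enumerate([120, 3000, 45, 1800, 2500, 10, 900, 3300])]
    # host-b contacts c2.example in 6 of 8 hours, irregularly, sometimes twice
    + [(t, "host-b", "c2.example")
       for t in (300, 400, 1 * HOUR + 2000, 3 * HOUR + 50, 4 * HOUR + 3500,
                 6 * HOUR + 700, 7 * HOUR + 1200)]
    # host-a makes a burst of 20 connections to news.example within one hour
    + [(2 * HOUR + i * 30, "host-a", "news.example") for i in range(20)]
)


def persistence(flows, start, end, bin_seconds):
    """Return {(src, dst): fraction of time bins in which the pair was seen}."""
    n_bins = max(1, -(-(end - start) // bin_seconds))  # ceiling division
    seen = defaultdict(set)
    for ts, src, dst in flows:
        if start <= ts < end:
            # Many connections inside one bin still count as a single bin.
            seen[(src, dst)].add((ts - start) // bin_seconds)
    return {pair: len(bins) / n_bins for pair, bins in seen.items()}


def persistent_pairs(flows, start, end, bin_seconds=HOUR, threshold=0.6):
    """Pairs whose persistence meets the threshold, highest score first."""
    scores = persistence(flows, start, end, bin_seconds)
    hits = [(pair, score) for pair, score in scores.items() if score >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for (src, dst), score in persistent_pairs(SAMPLE_FLOWS, 0, 8 * HOUR):
        print(f"{src} -> {dst}: seen in {score:.0%} of hourly bins")
```

On the constructed data the one-hour burst is not reported, while both the software-update pair and the C&C-like pair are, so the output is a list of candidates for further analysis and not a verdict.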